SAP Cloud Platform, API Management offers many out-of-the-box API security best practices which can be customized to your enterprise requirements. These API security best practices include security policies for authentication and authorization, traffic management and many more.

In this blog, we cover the scenario of raising alerts whenever a code injection threat (SQL injection / XXE attack) is detected. This scenario can be modeled using the Message Logging Policy from SAP Cloud Platform API Management to log any detected security threat to a Loggly tenant, and then using the alerting feature of Loggly to send email notifications whenever a threat is detected.

In this blog we use Loggly as the third-party logging server; other logging servers such as Splunk could be used instead.

Prerequisites

Customer Token from Loggly tenant

Navigate to Source Setup and then click on the Customer Tokens tab to fetch your Loggly token. This token is used in the Message Logging Policy later, in the section Log Regular Protection Threats.

The above snippet logs the API proxy name for which the threat was detected and adds the tag Threat Detection to the log message. This tag is used to create custom alerts on the Loggly server in the section Configuring Alerts on Loggly Server.

Edit the policy snippet that posts the log message to the Loggly server so that it uses the customer token configured in your Loggly tenant (see section Customer Token from Loggly tenant): replace the text YOUR_LOGGLY_TENANT_CUSTOMER_TOKEN (highlighted in the previous screenshot) with your Loggly customer token.

In the Condition String, specify the following condition to log messages only when a threat is detected (i.e. when the Regular Expression Protection policy fails):

regularexpressionprotection.failed = true

Click on the + button next to the Raise Fault Policy available under the Mediation Policies segment.

In the Create policy screen, specify the policy name, say raiseAccessDeniedError, and then click on the Add button.

Select the newly created raiseAccessDeniedError policy and add the following policy snippet to return an error with status code 403 and the reason phrase Access denied.

The RaiseFault policy allows a custom error message to be returned to the client. The above policy snippet returns an error response with the HTTP status set to 403 and the reason phrase set to Access denied.

In the Condition String, specify the following condition to raise the access denied error only when a threat is detected (i.e. when the Regular Expression Protection policy fails):

regularexpressionprotection.failed = true

Click on the Update button to save the policy changes.

Click on the Save button to save the changes to API Proxy.

With this we have applied a Message Logging Policy that logs the threats detected by the Regular Expression Protection policy to a third-party logging server such as Loggly, and a Raise Fault policy that returns a 403 Access denied error.
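As an added example (not the screenshot snippets from the original post), the two policies described above written out in the Apigee-style policy XML that SAP Cloud Platform API Management uses; the Loggly syslog endpoint logs-01.loggly.com on port 514, the Loggly enterprise number 41058 and the flow variables apiproxy.name, client.ip and request.uri are assumptions taken from the Apigee MessageLogging documentation, not from this blog.

```xml
<!-- Message Logging policy (paste into the policy editor of the Message
     Logging step). Attach it with the Condition String
       regularexpressionprotection.failed = true
     so that only Regular Expression Protection failures are logged. -->
<MessageLogging name="logThreatToLoggly">
  <Syslog>
    <!-- Loggly syslog structured-data format (assumed):
           [CUSTOMER_TOKEN@41058 tag="..."] message
         Replace YOUR_LOGGLY_TENANT_CUSTOMER_TOKEN with the token from
         Source Setup > Customer Tokens in your Loggly tenant. -->
    <Message>[YOUR_LOGGLY_TENANT_CUSTOMER_TOKEN@41058 tag="Threat Detection"] apiproxy={apiproxy.name} client={client.ip} uri={request.uri}</Message>
    <Host>logs-01.loggly.com</Host>
    <Port>514</Port>
    <Protocol>TCP</Protocol>
    <FormatMessage>true</FormatMessage>
  </Syslog>
</MessageLogging>

<!-- Raise Fault policy (paste into the policy editor of the raiseAccessDeniedError
     step). Attach it with the same Condition String, placed AFTER the Message
     Logging step: RaiseFault ends the flow, so a RaiseFault step placed before
     the logging step would reject the request without ever logging the threat. -->
<RaiseFault name="raiseAccessDeniedError">
  <FaultResponse>
    <Set>
      <StatusCode>403</StatusCode>
      <ReasonPhrase>Access denied</ReasonPhrase>
      <Payload contentType="text/plain">Access denied</Payload>
    </Set>
  </FaultResponse>
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
</RaiseFault>
```

Port 514 sends the log line in clear text; if your Loggly plan offers the TLS syslog port, prefer it, since the customer token in the message authenticates your tenant.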

Configuring Alerts on Loggly Server

In this section we cover the steps to configure alerts on the Loggly server.

Next to the text field All Sources, enter the text tag="Threat Detection" to create a custom search that identifies log messages with the tag Threat Detection. This is the tag set by the Message Logging policy while logging detected threats. From the time window field, select the last 30 minutes option.

Click on the Favorites (* icon) to save the search as a custom search, and then select the option Save this search as.

In the Create Saved Search dialog, enter the name of the custom search, say Threat Detection, and then select the option Save then create alert.

In the Add Alert dialog, enter the name and description of the alert, say Cloud Threat Detection, specify the alert conditions, enter the email address to which the alert notifications should be sent, and then click on the Save button.

The newly created alert appears under the Alerts tab.

With this we have created an alert in the Loggly tenant that sends an email notification whenever more than 10 log messages with the tag Threat Detection are received in a given window of 1 hour.

Finally, testing the flow

Navigate to the Test tab from the hamburger icon.

From the APIs list, search for the API proxy that you would like to test, say GatewayServiceRestrictedAccess, and then click on the API to test it.

Click on the Authentication: None link and select Basic Authentication to set the user credentials used to connect to the SAP Gateway ES4 system.